https://www.ntia.gov/sites/default/files/publications/sbom_m...

Depending on who you ask an SBOM might not need a hash. NTIA only recommend a hash.